Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes

It sounds like the stuff of a James Bond flick or something described in documents leaked by former NSA subcontractor Edward Snowden. In fact, the highly stealthy keystroke logger can be built by someone with only slightly above-average technical skills for as little as $10. Called KeySweeper, it's a device disguised as a functioning USB wall charger that sniffs, decrypts, logs, and transmits all input typed into a Microsoft wireless keyboard.

KeySweeper follows the same path. Unveiled on Monday, it provides the software and hardware specifications for building a highly stealthy sniffing device that plucks out every keystroke inputted to a Microsoft wireless keyboard. The device can either log the input on a chip for physical retrieval later, or it can use an optional GSM chip to transmit the keystrokes wirelessly to the attacker. For maximum efficiency, it can be programmed to send the operator SMS messages whenever certain keywords—think "bankofamerica.com," "confidential," or "password"—are entered. The entire sniffing device can be stashed inside an AC USB charger that powers the device. It recharges when plugged in and runs off of battery when not connected to a power source. To people being spied on, it looks like just another USB charger plugged into a wall socket.

The guts of the hardware is an Arduino or Teensy microcontroller and an nRF24L01+ radio frequency chip. While the chips are designed to communicate only over proprietary protocols, Kamkar figured out how to modify them to promiscuously sniff Microsoft keyboards by borrowing from previous sniffing attacks. Other optional hardware components include an SPI Serial Flash chip for storing keystrokes, an Adafruit FONA board, A SIM card, and a 3.7V Lithium-Ion battery. Most of the available software runs on the microcontroller, but Kamkar also provides web-based backend apps that remotely log keystrokes and provide a Web interface for live monitoring of targeted keyboards.

Key stashed under the door mat

The weakness that makes exploits like KeySweeper possible is encryption routines built into Microsoft wireless keyboards that can fairly be described as lackadaisical. Keystrokes are encoded with the XOR algorithm using the keyboard MAC address as the key. Since the nRF24L01+ chip can read the MAC address, the measure provides little security against moderately determined hackers. To make things even easier on attackers, all Microsoft keyboards begin with 0xCD as the MAC. As a result, even if an attacker doesn't know the MAC address, we can decrypt a keystroke, as the alignment will never change, and 0xCD is always the first byte of the MAC (see the section subtitled "Decrypting Keystrokes" for more on this).

A slide from a presentation on an earlier Microsoft wireless keyboard exploit called KeyKeriki showing part of the decryption process.

Further Reading

The inadequate XOR encryption baked into Microsoft wireless keyboards isn't new. The weakness was brought to light a few years ago by previous white hats Travis Goodspeed, Thorsten Schröder, and Max Moser. Those earlier exploits, however, required much larger computers that consumed much more power, making an inexpensive, highly stealthy, and always-on device like KeySweeper infeasible. Kamkar's contribution is applying the previous work to build a sniffer that a janitor, co-worker, or other person can surreptitiously plant within range of a targeted keyboard and then walk away. KeySweeper makes the perfect companion to CreepyDOL, a low-cost DIY tool for stalking mobile Wi-Fi users.

Readers who want to protect themselves against KeySweeper-style attacks should permanently eschew the use of Microsoft wireless keyboards, update: or at least test their Microsoft wireless keyboard against KeySweeper-style exploits to ensure it's not vulnerable. The keyboard Kamkar tested for his research was a brand new model purchased two weeks ago from a Best Buy store, so there's ample evidence the attack works against at least some Microsoft keyboards. That said, an Ars reader has pointed this this 2011 article reporting the release of a Microsoft keyboard with 128-bit AES encryption. Microsoft's website lists only a single model of keyboard that offers that protection.

Wired keyboards and wireless keyboards based on Bluetooth are immune to this class of attack. That's not to say this latter category of keyboards aren't susceptible to sniffing hacks that monitor electromagnetic radiation and vibrational patterns, but those types of attacks are much more theoretical and much harder to carry out in practice. KeySweeper, by contrast, is ready now. As Kamkar joked in his writeup:

My friend Dana lent me her doll soldering iron. I don't quite understand what she uses it for, but it's a soldering iron with an attachable razor. This is great for cutting through plastic, and dolls, I presume. She took the iron back as soon as I explained what the device would do. Apparently she does not support this, though I'm not sure why. I'm sure I'll find out after I sniff more keystrokes from her keyboard.

Update: Microsoft has issued the following statement:

Keyboards from multiple manufacturers are affected by this device. Where Microsoft keyboards are concerned, customers using our Bluetooth-enabled keyboards are protected from this type of attack. In addition, users of our 2.4GHz wireless keyboard designs from July 2011 onwards are also protected because these keyboards use Advance Encryption Standard (AES) technology.

Promoted Comments

MS keyboard insecurity has been a thing for a considerable length of time.

Sometime around the middle of the last decade, I helped a company (who inputs and keeps a large amount of very sensitive client information) with their desktop upgrade cycle. One of the things that the big UPS truck delivered was a pallet of MS wireless keyboard/mice. As I saw every user in the building get one of those long red boxes I had the gut feel that I wouldn't want to be using any of their services, though I hadn't done any research.

A couple of months later I saw an article describing how some hacker conference demoed an almost-automatic decrypt tool. I took the article to the account rep, who thanked me for my concern. A few months after that I was back at the same company and saw them using the same, basically insecure gear. Asked my boss about it and was basically told to shut up. Wish I could say I did something courageous but it was a bad year and I was new and keeping my head down.

Don't know if anything bad ever happened, but it was an amazingly flagrant attack surface.

At the time, MS offered one or two bluetooth models that were advertised as having 60-bit encryption, and the rest were merely labeled as "encrypted". I can't find the link any more, but essentially there were 256 possible keys across all the manufactured devices, and there was no key rotation as long as the power was on. Easy enough to try all keys on even a short string and throw out anything that violates some basic ascii grammar rules, which left a very few that the hacker could manually screen. It wasn't quite the automatic tool this was, but as described I felt like I could probably write the decrypt tool with my pathetic undergrad CS experience. Picking the signals out of the air would have been the hard part.

It's incredibly depressing that so many years later, MS is using (essentially) the same virtually-useless algorithm. With current technologies doing this part right should be incredibly easy, if perhaps sightly harder on the batteries.

It's even more depressing that most of the people I've explained the problems with the basic MS models to ultimately decide that not having ugly wires on their desk is more important.